MACLOCK preventing unauthorized mac address

  • Problem
  • Updated 3 years ago
  • Solved
Hi.

I want to configure a port on a B5 (firmware 6.81) with something like Cisco port security. I want to statically provision a MAC port lock. I configured this:

set maclock enable
set maclock trap ge.6.30 enable violation
set maclock syslog ge.6.30 enable violation
set maclock static ge.6.30 1
set maclock 00:1d:70:96:8c:1c ge.6.30 create

If another device with a different MAC address connects to this port, the port goes down.

This way doesn't work; I tested it.

Can anyone help me?

Thanks.

Paulo Silva

Posted 3 years ago

Ronald Dvorak, Embassador

I'm not an expert but I think you'd need this command ...

# set maclock disable-port

If it doesn't work, could you provide a screenshot of "show maclock"?

-Ron

Ronald Dvorak, Embassador

That works for me.....

G3(su)-> show config maclock
#maclock
set maclock enable
set maclock static ge.1.8 1
set maclock firstarrival ge.1.8  0
set maclock disable-port ge.1.8
set maclock enable ge.1.8
set maclock 00:1d:70:96:8c:1c ge.1.8 create
!



G3(su)->show maclock ge.1.8
MAC locking is globally enabled

Port     Port Trap     Syslog   Aging Port     Clr Max Max  Last Violating
Number   Stat Thr|Viol Thr|Viol Stat  Dis|Viol OLC Stc FA   MAC Address
-------- ---- -------- -------- ----  -------- --- --- ---- -----------------
ge.1.8   ena  dis|dis  dis|dis  dis   ena|ena  ena 1   0    00:04:96:8b:d2:98




G3(su)->show port status ge.1.8
          Alias        Oper    Admin   Speed
Port      (truncated)  Status  Status  (bps)     Duplex  Type
--------- ------------ ------- ------- --------- ------- ------------
ge.1.8    XOS_X430     Down    Up      N/A       N/A     BaseT RJ45/PoE
G3(su)->

Paulo Silva

Hi Ronald.

I configured "set maclock disable-port", but it doesn't work. I also configured "set maclock firstarrival ge.6.30 1"; it works in case more than 2 MAC addresses try to connect to the port, a switch for example.

Screenshot of "show maclock":


Paulo Silva

Ronald, now it works.

Did you note my configuration "set maclock firstarrival ge.6.30 1"?

When I saw your configuration "set maclock firstarrival ge.1.8 0", I changed mine and it was OK. The port locked when the different MAC address showed up.

Thanks, Ronald.

Ronald Dvorak, Embassador

Great, glad that I was able to help.

-Ron

Paulo Silva

Thanks again, Ronald.

:)

Paulo Silva

Hi, Ronald.

I need help with one more thing.

Look what has happened. The MAC address marked "last violation" is not connected, as if this MAC address were prohibited.

Do you know how I can clear this entry?

Ronald Dvorak, Embassador

You could clear the violation with this command....

G3(su)->clear maclock violation disable-port ge.1.8

Paulo Silva

I did this, but it doesn't clear.

If I configure the port with firstarrival 0, the device with this MAC doesn't work.

SW_B5_7B(su)->show mac port ge.6.30             
No entries found.

Thanks again for your help.

Paulo Silva

Ronald, I understand.

I have to create an entry for each MAC address that I want to connect to this port.
When a change happens, I will create a new entry and delete the old MAC.

set maclock 00:0e:08:d4:c7:9f ge.6.30 create
set maclock 00:1d:70:96:8c:1c ge.6.30 create

What do you think? Is it correct?
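
An added example, not part of the thread and not vendor tooling: a Python check over "show config maclock" output that compares every port with a static MAC entry against the working configuration Ronald posted (global enable, per-port enable, disable-port, firstarrival 0). It uses only the command forms that appear in the thread; the function name, the sample text and the choice to report a missing firstarrival line as a finding are assumptions, since the thread does not state the default.

```python
import re
from collections import defaultdict

# Constructed sample: ge.1.8 mirrors the working config posted in the thread;
# ge.6.30 mirrors the first attempt (firstarrival 1, no disable-port).
SAMPLE_CONFIG = """\
set maclock enable
set maclock static ge.1.8 1
set maclock firstarrival ge.1.8  0
set maclock disable-port ge.1.8
set maclock enable ge.1.8
set maclock 00:1d:70:96:8c:1c ge.1.8 create
set maclock static ge.6.30 1
set maclock firstarrival ge.6.30 1
set maclock 00:1d:70:96:8c:1c ge.6.30 create
"""
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def audit_maclock(config_text):
    """Return {port: [findings]} for each port that has a static MAC entry."""
    global_on = False
    ports = defaultdict(lambda: {"enable": False, "disable_port": False,
                                 "firstarrival": None, "macs": []})
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] != ["set", "maclock"]:
            continue  # section markers, separators, other config lines
        args = tok[2:]
        if args == ["enable"]:
            global_on = True
        elif len(args) == 2 and args[0] == "enable":
            ports[args[1]]["enable"] = True
        elif len(args) == 2 and args[0] == "disable-port":
            ports[args[1]]["disable_port"] = True
        elif len(args) == 3 and args[0] == "firstarrival" and args[2].isdigit():
            ports[args[1]]["firstarrival"] = int(args[2])
        elif len(args) == 3 and args[2] == "create" and MAC.fullmatch(args[0]):
            ports[args[1]]["macs"].append(args[0].lower())
    report = {}
    for port, p in ports.items():
        if not p["macs"]:
            continue  # no static MAC provisioned, out of scope for this check
        fa = "unset" if p["firstarrival"] is None else p["firstarrival"]
        checks = [(not global_on, "maclock is not enabled globally"),
                  (not p["enable"], "maclock is not enabled on the port"),
                  (not p["disable_port"], "disable-port is not set"),
                  (fa != 0, f"firstarrival is {fa}, expected 0")]
        report[port] = [msg for failed, msg in checks if failed]
    return report
```

An empty list for a port means it matches the working configuration from the thread on all four points.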